CVE-2026-46522 · Severity: HIGH · CNA: GitHub_M

CVE-2026-46522: ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: not listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An infinite loop vulnerability in the ImageMagick MIFF image decoder allows a remote, unauthenticated attacker to exhaust CPU resources by submitting a crafted image file. The flaw is reachable over the network with no privileges or user interaction required, making it straightforward to trigger against any service that processes untrusted images through ImageMagick. Successful exploitation causes a denial of service by pinning CPU usage, rendering the affected process or host unresponsive. No fix versions have been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46522 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ImageMagick directly. Any image in a connected registry or CI pipeline running an affected version of ImageMagick (before 7.1.2-23 or 6.9.13-48) is flagged automatically.

Triage: Available

Triage capability is available using the CVSS v3.1 score of 7.5 (HIGH), derived from the published vector, and can be weighted further against each customer environment's compliance policy to prioritize images exposed to untrusted file uploads. Findings are routable to the team or inbox configured for each customer org, so the right engineers see the alert without manual sorting.

Patch: Pending upstream

Because no upstream fix has been published for CVE-2026-46522, HarborGuard re-checks the advisory on every ingest cycle. The moment ImageMagick releases a patched version, a rebuilt image at that version becomes available, and customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable decoder is reachable over the network; an attacker must be able to submit a crafted MIFF file to a service that processes it with ImageMagick.

  • Authentication: Not required

    No credentials or account are needed to trigger the infinite loop; any client that can deliver a file to the processing endpoint is sufficient.

  • Victim interaction: Not required

    The vulnerability triggers during automated image processing with no action required from an end user or operator.

  • Attack complexity: Low

    Attack complexity is low; exploitation is reliable and requires no special conditions, race windows, or environmental dependencies beyond delivering the crafted file.

Blast Radius

  • The affected ImageMagick worker process enters an infinite loop, consuming all available CPU on the thread handling the request.
  • Sustained or repeated submissions of crafted MIFF files can pin CPU utilization and starve other processes running on the same host or container.
  • In containerized environments without CPU limits, the exhaustion can spread to neighboring workloads sharing the same node.
  • Image processing pipelines that depend on ImageMagick (format conversion, thumbnail generation, metadata extraction) become unavailable for the duration of the attack.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-46522 is monitored continuously because no upstream patch exists at this time. Every ingest cycle, HarborGuard re-checks the ImageMagick advisory; when versions 7.1.2-23 or 6.9.13-48 are published, a patched-image rebuild becomes available immediately, and customers with auto-remediation enabled will receive an automatic rebuild, regression-test run, and PR opened against affected workloads. In the interim, recommended compensating controls include applying CPU limits to containers running ImageMagick, isolating image-processing services behind an internal network policy that restricts which clients can submit files, filtering or rejecting MIFF-format uploads at the application or ingress layer, and routing untrusted file processing through a sandboxed sidecar with strict resource quotas. Customers whose compliance policy blocks auto-remediation will see the patched rebuild surfaced in the HarborGuard dashboard for manual promotion when it becomes available.
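The compensating controls above (rejecting MIFF uploads at the ingress layer, bounding the CPU a decoder may consume, and flagging affected versions), as an added Python example that is not HarborGuard's or ImageMagick's code. It assumes the fixed versions stated in this advisory, the "id=ImageMagick" header that ImageMagick itself uses to recognise MIFF, and a `magick` binary on PATH for the wrapper.

```python
"""Defensive helpers for CVE-2026-46522 (ImageMagick MIFF decoder infinite loop).

Added example, not HarborGuard's or ImageMagick's own code. Assumptions: the
first fixed releases are 7.1.2-23 and 6.9.13-48 (from the advisory), MIFF
files begin with the magic string "id=ImageMagick", and `magick` is on PATH.
"""
import re
import subprocess

try:
    import resource  # POSIX only; needed for the CPU rlimit in convert_with_budget
except ImportError:  # e.g. Windows
    resource = None

# First fixed release on each ImageMagick line, keyed by major version.
FIXED = {7: (7, 1, 2, 23), 6: (6, 9, 13, 48)}
MIFF_MAGIC = b"id=ImageMagick"
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text: str):
    """Return (major, minor, patch, release) from a bare version string or the
    first line of `magick --version`, e.g. 'Version: ImageMagick 7.1.2-22 Q16'."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no ImageMagick version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(text: str) -> bool:
    """True if the version is older than the first fixed release of its line."""
    ver = parse_version(text)
    fixed = FIXED.get(ver[0])
    return fixed is not None and ver < fixed


def is_miff(head: bytes) -> bool:
    """Sniff the MIFF header so uploads can be rejected regardless of the file
    extension the client supplied. Leading whitespace is tolerated, which is
    stricter than ImageMagick's own magic test (a deliberate defensive choice)."""
    return head.lstrip().startswith(MIFF_MAGIC)


def convert_with_budget(src: str, dst: str, cpu_seconds: int = 10, wall_seconds: int = 30):
    """Run `magick src dst` under a hard CPU-time rlimit plus a wall-clock timeout,
    so a looping decoder is killed instead of pinning a core indefinitely."""
    if resource is None:
        raise RuntimeError("RLIMIT_CPU is unavailable on this platform")

    def limit():  # runs in the child before exec
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))

    return subprocess.run(["magick", src, dst], preexec_fn=limit,
                          timeout=wall_seconds, capture_output=True)
```

`convert_with_budget` raises `subprocess.TimeoutExpired` when the wall clock runs out and returns a non-zero exit when the kernel kills the child for exceeding its CPU budget; either outcome should be treated as a rejected file.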

Affected packages

  • ImageMagick / ImageMagick: < 7.1.2-23 · < 6.9.13-48

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H